
Thread: Ports running on start-up

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    226

    Ports running on start-up

    http://www.doshelp.com/trojanports.htm

    Can someone explain the ports running when I'm starting the computer without being connected to the net? Some of these ports, like TCP 135, are NetBIOS. How do I remove it from running?

    Why are there 3 types of IP in the local address, for example 0.0.0.0:135, 127.0.0.1, 169.254.222.119, and a foreign address with *:*?

    I'm on an Ethernet modem. Are these ports expecting a connection?

    http://www.antionline.com/showthread...hreadid=159847

    I read this thread. How do I differentiate a trojan/backdoor from a Windows service running?

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    Windows XP by default has certain ports open in order to communicate with other Windows computers in a networked environment. For example, port 445 is the port for SMB, which facilitates file sharing, remote registry, and administration. Port 135 is MSRPC used for RPC-based communications. If you have a port open above 1200, then I might start to worry.

    As far as the local and foreign IPs go, there are three types. A port listening on 127.0.0.1 is listening on the loopback interface (lo in *nix). It is used for IPC and only programs on your computer can communicate with those endpoints. 0.0.0.0 in the local address indicates that port is listening on all interfaces. A listening port on any other IP address indicates it is listening on some externally-facing interface. The last two are accessible from the network.
    Note: if the foreign address is *.*, you are mostly looking at a UDP endpoint. UDP is a connectionless protocol and will never identify a connection with another IP address.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    115
    Try running MBSA; it will tell you more information:

    http://www.microsoft.com/technet/tre...s/MBSAhome.asp

    -w0rm3y

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    You can stop NetBIOS services on your NIC by going into the advanced section under TCP/IP and unbinding it. If you need step-by-step instructions, let me know. RPC is one thing that you won't want to disable because Windows relies heavily on it. The locator service on port 135 would be what I'm referring to here. Task Scheduler is also running but I wouldn't consider that a huge issue. If you're not using it, disable it as some attacks can run using this service.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Banned
    Join Date
    Jun 2003
    Posts
    29
    The ports which are open are ports on which the OS listens. That's how Nmap is able to determine what type of OS the victim is using so quickly, as it checks for what listening ports there are. To stop NetBIOS you should go into your internet options (Start -> Settings -> Control Panel -> Modem [I think]). From there you can disable NetBIOS.
    I also suggest that you use a good firewall such as Sygate and add a rule to it to block everything on the ports 135-139 and make sure that it only allows the programs you trust the most to access the internet. Everything else has no reason to go there.

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    If you are on a LAN with other computers that you share files between, leave those ports open; otherwise unbind NetBIOS as mentioned by thehorse AND disable the Server service from Start Menu->Administrative Tools->Services. That will unbind port 445.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    226
    I have disabled NetBIOS... I'm not on a LAN. If a cracker plants a backdoor in my computer or he breaks into my computer, if I do a netstat would I be able to see a connection from the attacker? Would he be able to hide this information shown in netstat?

    I have another question: my friend told me that a router is a firewall as well. I thought it determines the next network point to which a packet should be forwarded toward its destination. How would it be able to function as a firewall? Between a hardware firewall and a software firewall, which has the stronger ability to lock down my PC? I know most people would choose a hardware firewall; why is that so?

    Thanks a lot.

  8. #8
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Yeah, routers can be used as a firewall... like you said, it can be used to forward data to somewhere in your network but it can also be used to drop and/or audit certain things in the network. As for the hardware vs. software firewalls... from what I've seen so far a hardware FW and software FW will protect almost evenly but they both have different ups and downs. (Example) Hardware FW: malware can't kill it nearly as easily, it doesn't take up a lot of space on your HD, but you'd go through hell trying to keep hardware firewalls updated though.

  9. #9
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    In reply to your netstat question:

    If the trojan or backdoor was listening on a port, under most circumstances it would show up in a netstat -a. However, if your system was rootkitted, either the API that netstat uses or the netstat binary itself could be hacked, giving a false readout. In order to see what's really open, do a portscan from another puter.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision
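
The two checks described in posts #2 and #9, as an added example that is not part of any post in this thread: it classifies each `netstat -an` listener by its local bind address, then compares the network-reachable TCP ports against the result of a scan run from another machine. The sample output, the function names and the scanned port list are constructed assumptions.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an`; not output from the thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    169.254.222.119:139    0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    169.254.222.119:137    *:*
"""

def exposure(addr):
    """Map a local bind address to who can reach it."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback-only"      # 127.0.0.1: local programs only
    if ip.is_unspecified:
        return "all-interfaces"     # 0.0.0.0: every interface
    return "single-interface"       # e.g. 169.254.x.x: that one NIC

def parse_listeners(text):
    """Return (proto, addr, port, exposure) for TCP LISTENING rows and UDP endpoints."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                # header or blank line
        if f[0] == "TCP" and f[-1] != "LISTENING":
            continue                # established TCP rows are not listeners
        addr, _, port = f[1].rpartition(":")
        rows.append((f[0], addr, int(port), exposure(addr)))
    return rows

def network_reachable(rows):
    """(proto, port) pairs bound to anything other than loopback."""
    return sorted({(p, port) for p, _, port, e in rows if e != "loopback-only"})

def unexplained(rows, scanned_tcp):
    """TCP ports an external scan found open that netstat did not list."""
    local = {port for p, port in network_reachable(rows) if p == "TCP"}
    return sorted(set(scanned_tcp) - local)

if __name__ == "__main__":
    rows = parse_listeners(SAMPLE)
    for r in rows:
        print(*r)
    # 12345 is a constructed scan result standing in for a hidden listener.
    print("unexplained:", unexplained(rows, [135, 139, 445, 12345]))
```

Only the direction "open from outside but missing locally" is meaningful here; a port listed locally but not seen by the scan may simply be filtered by a firewall in between.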
